CCE INLs New Approach to Securing Critical Industrial Infrastructure

  • Tuesday, 02 Oct 2018 3:30PM EDT (02 Oct 2018 19:30 UTC)
  • Speakers: Phil Neray, Andy Bochman

"If you're a critical infrastructure provider, you will be targeted. And if you are targeted, you will be compromised."

Join Andy Bochman, Senior Grid Strategist for National & Homeland Security at the Idaho National Laboratory (INL), as he describes a radical new methodology for securing critical systems.

Called consequence-driven cyber-informed engineering (CCE), INL's new approach consists of four key steps:

1.- Identify Your 'Crown Jewel ' Processes - Critical functions or processes whose failure would be so damaging that it would threaten your company's very survival. 'An example would be a targeted attack on the safety systems in a chemical plant or oil refinery that would result in a catastrophic safety and environmental incident.

2.- Map the Digital Terrain - Map all the digital pathways that would be exploited by adversaries to compromise your "must not fail" processes. This includes all the assets, communication paths, vulnerabilities, and supporting people and processes (including 3rd-party suppliers) involved in causing a high-consequence event.

3.- Illuminate the Likely Attack Paths - Identify the most likely paths attackers would take to reach the targets identified in step 1, ranked by degree of difficulty.

4.- Generate Options for Mitigation and Protection - Identify and prioritize options for engineering-out highest-consequence cyber risks. For example, by minimizing the number of pathways to your most critical assets, you can make it easier for your team of network defenders to quickly detect and respond to abnormal traffic. But it can also include adopting low-tech backstops such as inserting trusted people into critical processes.

Phil Neray, CyberX's VP of Industrial Cybersecurity, will also discuss how a modern OT cybersecurity platform can provide new visibility into your digital terrain, prediction of the most likely attack vectors, and a spectrum of mitigation and protection options for reducing key risks to your company's most critical functions.